Ocean Gate Titan: An Engineering Risk Assessment
The tragic events around the Ocean Gate Titan submersible disaster (18-June-2023) have many layers of the onion to peel away. This privately owned and operated submersible is believed to have imploded whilst on a journey down to the Titanic at 3800m water depth following a loss of communication.
If reports are true, then it beggars belief that anyone would choose to take any un-certified sub-maritime vessel to the depths of the Titanic, some 3800m of water, having only “tested” the submersible to 4000m. I would expect that most people outside of Engineering and Science would not really comprehend what such a pressure (circa 380 barg/380 atmospheres) physically is, or the risks they are taking at such a water depth.
It isn’t unreasonable for those signing any waiver to expect that those asking them to sign have done their due diligence and followed established engineering practices. If the quotes attributed to the now deceased Stockton Rush are accurate, then it (tragically) appears not.
Many things we do in life involve risks and hazards. Those risks/hazards often have associated severities and consequences, as well as an expected frequency of being likely to occur. I would hope that most of us in Engineering understand the Hazard Triangle, ALARP (As low as reasonably practicable) and ISD (Inherently safe design). For those who do not, then our esteemed colleagues at the UK HSE have articulated it far better than I believe I could ever do:
The cornerstone of what we do should be that it is done safely and with minimum impact/harm to people and the environment… as far as reasonably practicable. And there is that phrase again “as far as reasonably practicable.” We should take the time to consider what that means, and the basis of ALARP.
To quote the above-mentioned HSE, ALARP is “short for ‘as low as reasonably practicable’. Reasonably practicable involves weighing a risk against the trouble, time and money needed to control it. Thus, ALARP describes the level to which we expect to see workplace risks controlled.”
Note that in the above diagram, BAT means “Best Available Techniques/Technology”.
Where possible, we should primarily look to remove the hazard: No hazard, no risk. If only life was that simple! If one chooses to travel to the depths of the ocean, then there is one hazard we cannot remove, only manage “as far as reasonably practicable” by design and practice. Where we cannot, we should seek to minimise/control the severity of those risks “as far as reasonably practicable”; or greatly reduce the frequency of such risks leading to catastrophe.
This of course assumes that people can and do understand the risks and are aware of and understand the severity, frequency and failure modes. As above, I would question whether those who chose to take the Ocean Gate Titan submersible were cognisant of the actual risk(s) they were taking when they signed the waivers prior to descending to the depths of the ocean. To be able to evaluate a risk, one must understand it.
It seems here that (I would challenge) the failure mechanisms of the anisotropic carbon fibre tubular section of the Ocean Gate Titan submersible were not adequately understood and not comprehensively (enough) tested (OceanGate Was Warned of Safety Concerns with Titanic Mission – The New York Times (nytimes.com)). I know nothing about designing submersibles. I do however have an appreciation of what 360 barg pressure is and the consequences of such a hazard.
As an engineer, I absolutely would not “visit” the Titanic in an uncertified vessel, especially one that hasn’t gone through HAZOP and design verifications by independent bodies and Engineers who are knowledgeable about the design and operation of submersibles.
Given some of his public statements, some may question whether Ocean Gate’s CEO Stockton Rush was one of those people. As Stockton Rush did have an engineering degree (Aeronautical, I believe), then it is somewhat astonishing that he seemed to be dismissive of the Hazard Triangle, ALARP and ISD.
If true, then the statement attributed to Stockton Rush as being “tired of industry players who try to use a safety argument to stop innovation” (Titan sub CEO dismissed safety warnings as ‘baseless cries’, emails show – BBC News) is only marginally less astonishing than the quote (also attributed to Stockton Rush) “If you’re not breaking things then you’re not innovating”.
No, Stockton Rush – safety does not “stifle” innovation – it should and does drive it. The more I read about the Ocean Gate Titan submersible tragedy, the more I shake my head in absolute disbelief as to how such a project ever got that far.
I found the statement from the now deleted OceanGate website (link no longer active) sobering, especially the claim of complete validation (“complete” being an absolute term):
“OceanGate CEO and Founder, Stockton Rush, completed Titan’s 4000-meter validation dive in December 2018. Not only did this dive completely validate Ocean Gate’s innovative engineering and the construction of Titan’s carbon fibre and titanium hull, it also means that all systems are GO for the 2019 Titanic Survey Expedition – the world’s deepest adventure – scheduled for June to August 2019.”
I would question any engineer who would or does make claims as absolutes. It is tragically ironic that the Titanic was once claimed to be “unsinkable” by Philip Franklin, White Star Line vice-president, 1912.
“There is no danger that Titanic will sink. The boat is unsinkable and nothing but inconvenience will be suffered by the passengers.” Philip Franklin, White Star Line vice-president, 1912
An “absolute” is a long way off ALARP.
Consider how we as engineers pressure test – we take any vessel or pipe to 1.5 times the MOP (Maximum operating pressure) and design (with margin) for much greater than this (allowing for corrosion, stresses, etc).
That we do not take such pressure vessels/piping to their design pressure highlights the (reasonable) lack of faith in absolutes, and the need to include pressure relief and safety systems in the design.
Obviously, submersibles have nowhere to “relieve” such pressures to, so there is even more reason to practice ALARP and design with very conservative margins (and safety systems), given that the one absolute we do have here is the hazards of the deep ocean.
Given the Titanic is at 3800m water depth, that is about 380 barg. 1.5 times “MOP”, which is 570 barg (5700m water depth), is what I would have expected the design team to have tested to as a minimum. This is well in excess of the (apparent) 4000 m “validation dive” Stockton Rush is quoted as claiming.
I would contest that this is not a “Validation Dive”, rather a preliminary “service test” that should have preceded additional dives to assess the failure modes/mechanism of this vessel design to depths well in excess of the 4000m quoted on (the now deactivated) OceanGate web portal.
To only “test” something to circa 5% over its operational range isn’t a test, it is a leap of faith! Even more so when using a relatively unused (in the application chosen) anisotropic composite material.
“Good engineering” would/should surely dictate testing any such vessel to destruction so as to determine what the actual design and failure pressures are and where the limits of the “Tolerable Risk Zone” exists (even before we get into cyclical stressing criteria, De-lamination loads and fatigue of these composite materials).
Part of this process must be to validate with repeatability the frequencies of failure upon demand and to “as far as reasonably practicable” those likely failure mechanisms within the “tolerable risk zone” of the ALARP Triangle.
To just “do it a few times” only shows that at “those times” it didn’t fail, rather than giving insight as to those situations where it would fail (as apparently happened). Someone who knows far, far more than I do on this topic can be found on YouTube:
I have absolutely no idea if Ocean Gate did this. It does not appear that they did, nor that they adequately undertook sufficient destructive and non-destructive testing. If it was me, then I would want a significant design margin on top of 1.5 MOP and many, many dive tests to 6000m+ water depth.
I would also not make my life dependent upon something controlled by a video-game controller; rather, I would have expected to see back-up and SIL (Safety Integrity Level) rated systems with multiple layers of redundancy.
The parallels with the Petrobras P36 Floating Production Facility Sinking (20 March, 2001 – reference www.drillingformulas.com ) and death of 11 facility workers are sobering given the common lack of any detailed hazard analysis that might have identified failure mechanisms and modes.
Perhaps Ocean Gate have these in relation to the Titan and have chosen not to make them public? It is interesting what the October 2008 NASA ViTS Meeting Presentation drew as its conclusions from this P-36 event (www.sma.nasa.gov):
- Poor design placement of key safety-critical parts
- Component failure without sufficient backups
- Lack of training and communication
- Focus on cost-cutting.
We await further information as to the Ocean Gate Titan submersible disaster before we can see how many of these are applicable. One point to note as to this NASA presentation, and as a quote I hope ALL engineers will take to heart is:
“Efficiency and performance should not supersede the need and continuous pursuit of safe operations”.
Perhaps had Stockton Rush read this and considered such, then perhaps the Ocean Gate Titan submersible loss wouldn’t have occurred? It seems a tragedy that should have and could have been avoided had standard engineering hazard identification and controls been employed.
Taking any vessel to 3800m water depth is always going to have risks that cannot easily be mitigated – as highlighted by the obvious elephant in the room that the US military and their billions of dollars of research funds DON’T take their submarines to such depths.
By comparison, most military submarines are limited to about 500m water depth, less than 15% of the depth of the Titanic.
The safest option would always be to not visit the Titanic in the first place.
Just because you can, does not mean that you should.